Pin dependencies and add integrity checks

[ewan-escience]

Linked dependencies, as in <script src="//cdn.jsdelivr.net/npm/docsify/lib/plugins/search.min.js"></script> don't have a version in their URL, meaning they will always point to the latest version. (Side note: why do these dependencies start with // instead of https://?). This has two risks:

1. A new version might break the guide (through a bug or a changed API)
2. A version with malicious code might be used

If you take off the last part of the path of these dependcies (e.g. https://cdn.jsdelivr.net/npm/docsify/lib/plugins/), you can navigate through the versions.

Furthermore, we should use integrity checks to ensure that the loaded code has not been altered with.

[bouweandela]

If we pin those dependencies, is there some way to automate updating them so we don't end up with very outdated dependencies one or two years from now?

[ewan-escience]

The point is to not update them automatically. But this would indeed require some regular maintenance.

If you don't think it's worth the effort, that's also fine, but I wanted to point out the risks we currently have.

[bouweandela]

I was thinking of automatically creating a pull request to update the version, so we can review if anything is broken. Would something like that be possible without too much effort?

[ewan-escience]

From this issue, this does not seem to be supported (yet) by dependabot and I haven't found any other tool that can do this, so it looks like we would have to write a tool ourselves if we want automatic pull requests.

[bouweandela]

From dependabot/dependabot-core#3228 (comment) it looks like renovate supports it? Or is that a mistake?